We can change the SELinux context of files and directories when we need to. This is usually necessary because we need to alter permissions or because we moved a file between locations: while files created within a directory inherit its context, moved files retain their original context.
Let’s say we moved a new index.html file into our /var/www/html directory:
[olm@olm ~]$ sudo mv index.html /var/www/html/
[olm@olm ~]$ cd /var/www/html/
[olm@olm html]$ ls -Z
-rw-rw-r--. vagrant vagrant unconfined_u:object_r:user_home_t:s0 index.html
This example is particularly appropriate, because we can see the effects of SELinux in practice. Should we try to view our index.html file through our web browser, we receive a Forbidden error. This is because, as shown above, it retains its original user_home_t type, not the httpd_sys_content_t type it needs. This can be changed with the restorecon command:
[olm@olm html]$ restorecon index.html
[olm@olm html]$ ls -Z
-rw-rw-r--. vagrant vagrant unconfined_u:object_r:httpd_sys_content_t:s0 index.html
restorecon uses SELinux’s default file contexts to reset files to the appropriate type. In this instance, it sees that index.html matches the /var/www(/.*)? pattern and applies the corresponding context.
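To spot files that kept the label of their old location before Apache starts returning Forbidden, the ls -Z output can be filtered by type. The script below is an added example, not part of the original post; the function names and the sample listing (including about.html, img and notes.txt) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag entries in `ls -Z` output whose SELinux type differs
# from the type expected for the directory being audited.

# Constructed sample in the `ls -Z` layout shown above (not captured output).
sample_listing() {
  cat <<'EOF'
-rw-rw-r--. vagrant vagrant unconfined_u:object_r:user_home_t:s0 index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 about.html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 img
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 notes.txt
EOF
}

# find_mislabeled EXPECTED_TYPE
# Reads `ls -Z` lines on stdin and prints "name found_type" for each mismatch.
# The context is located by its shape (user:role:type:level), so the short
# "context name" layout printed by newer coreutils is handled too.
# Assumes file names without whitespace (the name is taken as the last field).
find_mislabeled() {
  awk -v want="$1" '
    {
      ctx = ""
      for (i = 1; i < NF; i++) {
        if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { ctx = $i; break }
      }
      if (ctx == "") next            # no SELinux context on this line
      split(ctx, part, ":")          # part[3] is the type field
      if (part[3] != want) print $NF, part[3]
    }'
}

sample_listing | find_mislabeled httpd_sys_content_t
```

On a live system, pipe the output of ls -Z for /var/www/html into find_mislabeled instead of the sample; anything it prints is a candidate for restorecon.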
Alternatively, say we moved the entire html/ directory over and need to change SELinux context for the whole thing. Assume, for whatever reason, our server does not have the necessary default SELinux policies for Apache. For this, we can use semanage to change the type context:
semanage fcontext -a -t httpd_sys_content_t '/var/www/html(/.*)?'
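The -a flag adds a new rule and the -t flag denotes the type. Additionally, notice the inclusion of (/.*)? in the path: this tells SELinux that the files and directories under the /var/www/html directory receive this type as well. Note that semanage fcontext only records the rule; files already on disk keep their current label until restorecon is run on them.
Should we need to, we can also delete a directory’s file-context rule: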
semanage fcontext -d "/var/www/html(/.*)?"
Even by managing SELinux context and permissions, we have barely scratched the surface of this in-depth tool.
Last edited by Olm, 2017-10-20 15:03:09